Testing DNSSEC with Dig

Dig is a command-line tool that queries a nameserver for DNS records. For instance, dig can ask a DNS resolver for the IP address of www.cloudflare.com (the +short option prints only the answer):

$ dig www.cloudflare.com +short
198.41.215.162
198.41.214.162

Dig can also be used to check DNSSEC records. In the example below, the last line of output is the RRSIG record. RRSIG is the DNSSEC signature attached to the record set. Using the RRSIG, together with the zone's public key, a validating DNS resolver determines whether a DNS response can be trusted.

Dig also retrieves the public key (the DNSKEY record) used to verify the DNS records. All records in a zone are signed with the same zone key, and the public key is published at the zone apex. Therefore, query the root domain for the public key, not the subdomain:

Viewing the DNSSEC Chain of Trust with Dig

Full verification of a domain's signatures (for example: cloudflare.com) involves verifying its key-signing key against the top-level domain (for example: .com). The same verification is then performed one level up, by checking the key-signing key of .com against the root zone. The DNSSEC root keys are distributed to DNS clients as trust anchors, which completes the chain of trust.

When DNSSEC is enabled, a DS record must be published in the parent zone through the domain's registrar. The DS record contains a hash of the public key-signing key as well as metadata about the key (its key tag, algorithm and digest type).

When using the +trace option, dig shows whether an answer was returned by the nameservers for cloudflare.com or by the nameservers for .com. In this example, the DS record for cloudflare.com is returned by e.gtld-servers.net:

In the above example, DNSSEC is misconfigured if a normal DNS response is received when using the +cd (checking disabled) option, but the same query with DNSSEC validation enabled returns a SERVFAIL response. This issue often happens when authoritative nameservers are changed but the DS records at the registrar are not updated. The same symptom can also occur if an attacker attempts to forge a response to a query, since the forged response fails signature validation.
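The comparison described above (a validating query next to a +cd query) can be automated. The following Python script is an added example, not code from the original article or from Cloudflare: it parses the header and answer sections of dig's text output and reports whether a name validated (AD flag set), was answered without validation, or is bogus (SERVFAIL with validation, NOERROR with +cd). The sample transcripts are constructed and abbreviated, not captured from a real resolver, and run_dig is a hypothetical helper that needs the dig binary and network access.

```python
import re
import subprocess

# Constructed, abbreviated dig transcripts (not captured from a real resolver).
# Only the header and answer lines that the check inspects are included.
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.1
example.com.\t300\tIN\tRRSIG\tA 13 2 300 20240201000000 20240101000000 12345 example.com. c29tZXNpZw==
"""

SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

SAMPLE_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10003
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.1
example.com.\t300\tIN\tRRSIG\tA 13 2 300 20240201000000 20240101000000 12345 example.com. c29tZXNpZw==
"""


def parse_dig(output: str) -> dict:
    """Pull the response status, header flags and RRSIG presence out of dig's text output."""
    status = re.search(r"status: ([A-Z]+)", output)
    flags = re.search(r"^;; flags: ([^;]*);", output, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        # an RRSIG line in the answer is the signature the article describes
        "rrsig": bool(re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", output, re.M)),
    }


def classify(validating_output: str, cd_output: str) -> str:
    """Combine a normal +dnssec query with a +cd query.

    secure   : the resolver validated the chain (AD flag set)
    insecure : answered without validation (no DS in the parent, or a non-validating resolver)
    bogus    : validation fails, but the same data is returned once checking is disabled
    """
    v, c = parse_dig(validating_output), parse_dig(cd_output)
    if v["status"] == "NOERROR" and "ad" in v["flags"]:
        return "secure"
    if v["status"] == "NOERROR":
        return "insecure"
    if v["status"] == "SERVFAIL" and c["status"] == "NOERROR":
        return "bogus"
    return "unknown"


def run_dig(name: str, *extra_opts: str) -> str:
    """Hypothetical helper: runs the real dig binary (needs dig installed and network access)."""
    cmd = ["dig", name, "+dnssec", *extra_opts]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed transcripts.
    print("validated :", classify(SAMPLE_VALIDATED, SAMPLE_VALIDATED))
    print("servfail  :", classify(SAMPLE_SERVFAIL, SAMPLE_CD))
    # Live check (uncomment): print(classify(run_dig("cloudflare.com"), run_dig("cloudflare.com", "+cd")))
```

The AD flag is only set by a resolver that performs validation itself, so "insecure" from a non-validating resolver says nothing about the zone; point dig at a validating resolver (with @resolver) before drawing conclusions from that result.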

Troubleshooting DNSSEC Validation using DNSViz

If DNSViz has never analyzed the site before, click the Analyze button that appears.

If the site has been analyzed by DNSViz before, click the Update Now button that appears.

Example without DNSSEC

Below is an example of a working domain without DNSSEC as diagrammed by dnsviz.net:

Example with correct DNSSEC

Below is an example of a domain with functioning DNSSEC records between the TLD nameservers and the authoritative nameservers for cloudflare.com:

Example with missing or incorrect RRSIG record on authoritative nameserver

Below is an example of how dnsviz.net displays a broken delegation: the authoritative nameserver provides no valid DNSKEY record matching the DS record published by the TLD nameserver:

Next steps

If a problem is discovered with DNSSEC implementation, contact the domain's registrar and confirm the DS record matches what the authoritative DNS provider has specified. If Cloudflare is the authoritative DNS provider, follow the instructions for configuring DNSSEC with Cloudflare.
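The DS record the registrar publishes is derived from the key-signing key: a key tag, the algorithm, a digest type and a digest over the owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4, key tag from its Appendix B; digest type 2 is SHA-256 per RFC 4509). The following Python script, added here and not part of the original article or of Cloudflare's tooling, recomputes a DS record from the fields of a DNSKEY record (as printed by dig DNSKEY) and compares it with a published DS, which is the check the DS record passage and the next steps above call for. The sample key bytes are constructed, not a real key, and the function names are chosen for this example.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = key-signing key), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> str:
    """Return the DS RDATA text ("keytag algorithm digesttype digest") for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest_fn = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    # The digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = digest_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(ds_published: str, ds_computed: str) -> bool:
    """Field-by-field comparison, tolerant of case and spacing differences in the digest."""
    return [f.upper() for f in ds_published.split()] == [f.upper() for f in ds_computed.split()]


# Constructed sample: a 64-byte placeholder key, NOT a real DNSKEY.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(b"\x01" * 64).decode("ascii")


def sample_ds() -> str:
    # flags 257 marks a key-signing key; algorithm 13 is ECDSAP256SHA256
    return ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY_B64)


if __name__ == "__main__":
    computed = sample_ds()
    print("computed DS :", computed)
    # A DS copied from the registrar (here: the same value, lowercased) should match.
    print("matches     :", ds_matches(computed.lower(), computed))
```

To use it on a live zone, copy the flags, protocol, algorithm and base64 key from the DNSKEY with flags 257 in the dig DNSKEY output, and the digest type from the DS the parent returns; a mismatch in the key tag alone already tells you the registrar holds a DS for a key the authoritative provider no longer serves.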